Program crash due to Out-of-memory in function tinyexr::AllocateImage #104

Closed
wcventure opened this Issue Dec 31, 2018 · 3 comments

wcventure commented Dec 31, 2018

Hi, there.

I tested the program on the master branch.

commit b3eb24bf635c0ed92f1080a1b269bc8271cbb919
Author: Syoyo Fujita <syoyo@lighttransport.com>
Date:   Mon Dec 24 20:33:23 2018 +0900

    Add IsEXR() API.

An out-of-memory problem was discovered in function tinyexr::AllocateImage in tinyexr.h. The program tries to allocate a very large amount of memory (0x1b80011b980 bytes). The program crashes because terminate is called after throwing an instance of 'std::bad_alloc'.

Please use "./test_tinyexr $POC" to reproduce the bug.
POC.zip

I will show you the output as follows.

$ ./test_tinyexr ./POC
terminate called after throwing an instance of 'std::bad_alloc'
  what():  std::bad_alloc
Aborted

wcventure commented Dec 31, 2018

I have confirmed them with address sanitizer too.

==31473==ERROR: AddressSanitizer failed to allocate 0x1b80011b980 bytes
==31473==AddressSanitizer's allocator is terminating the process instead of returning 0
==31473==AddressSanitizer CHECK failed: /llvm-6.0.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:225 "((0)) != (0)" (0x0, 0x0)
    #0 0x4e4895 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /llvm-6.0.1/projects/compiler-rt/lib/asan/asan_rtl.cc:69
    #1 0x502155 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /llvm-6.0.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79
    #2 0x4eac96 in __sanitizer::ReportAllocatorCannotReturnNull() /llvm-6.0.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:225
    #3 0x4eacd6 in __sanitizer::ReturnNullOrDieOnFailure::OnBadRequest() /llvm-6.0.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:241
    #4 0x420b86 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /llvm-6.0.1/projects/compiler-rt/lib/asan/asan_allocator.cc:856
    #5 0x4db71b in __interceptor_malloc /llvm-6.0.1/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:89
    #6 0x54e665 in tinyexr::AllocateImage(int, _EXRChannelInfo const*, int const*, int, int) /tinyexr/./tinyexr.h:9793:34
    #7 0x5457b7 in tinyexr::DecodeChunk(_EXRImage*, _EXRHeader const*, std::vector<unsigned long long, std::allocator<unsigned long long> > const&, unsigned char const*) /tinyexr/./tinyexr.h:10159:25
    #8 0x526cbf in tinyexr::DecodeEXRImage(_EXRImage*, _EXRHeader const*, unsigned char const*, unsigned char const*, char const**) /tinyexr/./tinyexr.h:10289:10
    #9 0x525b1a in LoadEXRImageFromMemory /tinyexr/./tinyexr.h:10597:10
    #10 0x51c735 in LoadEXRImageFromFile /tinyexr/./tinyexr.h:10574:10
    #11 0x54aa58 in main /tinyexr/test_tinyexr.cc:270:11
    #12 0x7f870cdf082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x41b818 in _start (/tinyexr/test_tinyexr+0x41b818)

wcventure commented Dec 31, 2018

Here are some different POCs:
POC_addtion.zip

$ ./test_tinyexr ./POC1
terminate called after throwing an instance of 'std::bad_alloc'
  what():  std::bad_alloc
Aborted
$ ./test_tinyexr ./POC2
terminate called after throwing an instance of 'std::out_of_range'
  what():  vector::_M_range_check: __n (which is 0) >= this->size() (which is 0)
Aborted

@syoyo syoyo closed this in 65f9859 Dec 31, 2018

@syoyo syoyo added the bug label Dec 31, 2018

Owner

syoyo commented Dec 31, 2018

There are two situations.

  • try to allocate zero-sized data.
  • try to allocate 1TB or more memory (Some? AddressSanitizer does not support memory larger than 1TB)

I have added a workaround for the latter case, but it is recommended to check the return value of malloc. You can contribute a PR!

@syoyo syoyo added the help wanted label Dec 31, 2018
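
The checks discussed in this thread (reject zero-sized requests, bound the size computed from header dimensions, test the return value of malloc), written out as an added example. It is not tinyexr's code and not the change in 65f9859; the names `CheckedChannelBytes` and `AllocateChannel`, the status codes and the 1 GiB cap are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <limits>

// Hypothetical status codes; not part of tinyexr's API.
enum AllocStatus { ALLOC_OK, ALLOC_BAD_DIMENSIONS, ALLOC_TOO_LARGE, ALLOC_NO_MEMORY };

// Assumed policy limit for one channel buffer (constructed value, tune per application).
static const uint64_t kMaxChannelBytes = 1ull << 30;  // 1 GiB

// Computes width * height * bytes_per_pixel without wrapping and compares it
// with the limit. The dimensions come from the file header, so they are untrusted.
AllocStatus CheckedChannelBytes(int width, int height, size_t bytes_per_pixel,
                                uint64_t limit, size_t *out_bytes) {
  if (width <= 0 || height <= 0 || bytes_per_pixel == 0) return ALLOC_BAD_DIMENSIONS;
  uint64_t pixels = static_cast<uint64_t>(width) * static_cast<uint64_t>(height);
  if (pixels > limit / bytes_per_pixel) return ALLOC_TOO_LARGE;  // division avoids overflow
  uint64_t bytes = pixels * bytes_per_pixel;
  if (bytes > std::numeric_limits<size_t>::max()) return ALLOC_TOO_LARGE;  // 32-bit size_t
  *out_bytes = static_cast<size_t>(bytes);
  return ALLOC_OK;
}

// Allocates one channel buffer; *out stays NULL on every failure path.
AllocStatus AllocateChannel(int width, int height, size_t bytes_per_pixel,
                            unsigned char **out) {
  *out = NULL;
  size_t bytes = 0;
  AllocStatus st = CheckedChannelBytes(width, height, bytes_per_pixel,
                                       kMaxChannelBytes, &bytes);
  if (st != ALLOC_OK) return st;
  *out = static_cast<unsigned char *>(std::malloc(bytes));
  return *out ? ALLOC_OK : ALLOC_NO_MEMORY;  // malloc result is checked, not assumed
}

int main() {
  // Constructed header dimensions: valid, zero-sized, and oversized.
  const int dims[][2] = {{64, 32}, {0, 32}, {2147483647, 2147483647}};
  for (size_t i = 0; i < 3; ++i) {
    unsigned char *buf = NULL;
    AllocStatus st = AllocateChannel(dims[i][0], dims[i][1], 4, &buf);
    std::printf("%d x %d -> status %d\n", dims[i][0], dims[i][1], static_cast<int>(st));
    std::free(buf);
  }
  return 0;
}
```

A loader built this way returns an error code to the caller for a malformed header instead of aborting on `std::bad_alloc`.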
